Security controls across eight Department of Health and Human Services operating divisions need to be improved to properly detect and prevent certain cyberattacks.

That’s the finding of a report by the HHS Office of Inspector General, which conducted a series of audits at eight HHS Operating Divisions (OPDIV), using network and web application penetration testing to determine how well agency systems were protected.

Brian M. Kalish/Employee Benefit Adviser

“During testing, we identified vulnerabilities in configuration management, access control, data input controls and software patching,” OIG reported. “Based on the findings of this audit, we have initiated a new series of audits looking for indicators of compromise on HHS and OPDIV systems to determine whether an active threat exists on HHS networks or whether there has been a past breach by threat actors.”

Also See: CMS needs better Medicaid breach info to identify trends

“We shared with senior-level HHS information technology management the common root causes for the vulnerabilities we identified, information regarding HHS’s cybersecurity posture and four broad recommendations that HHS should implement across its enterprise to more effectively address these vulnerabilities,” state the auditors. “We also provided separate reports with detailed results and specific recommendations to each OPDIV after testing was completed. We will be following up with each OPDIV on the progress of implementing our recommendations.”

In written comments to the OIG, HHS concurred with the auditors’ recommendations and described actions the agency has taken or plans to take to ensure the vulnerabilities are addressed. In addition, HHS said that the OPDIVs have incorporated actions to address their individual vulnerabilities and that the agency will follow up with them.